reverse-php-malware/revphp at master · balagpy/reverse-php-malware · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
#!/usr/bin/env php
<?php
# $Id: revphp,v 1.35 2016/04/12 02:40:07 bediger Exp $
require 'vendor/autoload.php';
include('SymbolTable.php');
include('RevPHPNodeVisitor.php');

use PhpParser\NodeTraverser;
use PhpParser\ParserFactor;
use PhpParser\PrettyPrinter;

$remove_comments = true;

$cmdline = getopt("Cf:F:D:r:");

if (isset($cmdline['C'])) $remove_comments = false;

$replacement_func_names = array();
if (isset($cmdline['F'])) {
	if (count($cmdline['F']) > 1) {
		foreach ($cmdline['F'] as $replace) {
			$a = explode('=', $replace);
			$replacement_func_names[$a[0]] = $a[1];
		}
	} else {
		$a = explode('=', $cmdline['F']);
		$replacement_func_names[$a[0]] = $a[1];
	}
}

$extra_functions = array();
if (isset($cmdline['f'])) {
	if (count($cmdline['f']) > 1) {
		foreach ($cmdline['f'] as $func) {
			$extra_functions[] = $func;
		}
	} else
		$extra_functions[] = $cmdline['f'];
}

$replaced_functions = array();
if (isset($cmdline['r'])) {
	if (count($cmdline['r']) > 1) {
		foreach ($cmdline['r'] as $func) {
			$replaced_functions[] = $func;
		}
	} else
		$replaced_functions[] = $cmdline['r'];
}

$special_functions = array();
if (isset($cmdline['D'])) {
	# File name with PHP code to eval, and then use
	# the functions as "functions of interest",
	$special_function_names = parse_and_eval($cmdline['D']);
	foreach ($special_function_names as $fn) {
		$special_functions[] = $fn;
	}
}

$input_filename = $argv[$argc - 1];

$code = file_get_contents($input_filename);

$parser        = (new PhpParser\ParserFactory)->create(PhpParser\ParserFactory::PREFER_PHP7);
$traverser     = new PhpParser\NodeTraverser;
$prettyPrinter = new PhpParser\PrettyPrinter\Standard;

$traverser->addVisitor(
	new RevPHPNodeVisitor(
		$extra_functions, $special_functions, $replaced_functions,
		$remove_comments, $replacement_func_names
	)
);

try {
   	$stmts = $parser->parse($code);
}
catch (PhpParser\Error $e) {
	fwrite(STDERR, 'Parse Error: '.$e->getMessage()." in {$input_filename}\n");
	exit;
}

$stmts = $traverser->traverse($stmts);

$code = "<?php\n" . $prettyPrinter->prettyPrint($stmts)."\n";
echo $code;

exit;

/*
set_error_handler('exceptions_error_handler');

function exceptions_error_handler($severity, $message, $filename, $lineno) {
  if (error_reporting() == 0) {
    return;
  }
  if (error_reporting() & $severity) {
    throw new ErrorException($message, 0, $severity, $filename, $lineno);
  }
}
*/

function parse_and_eval($filename)
{
	$parser        = (new PhpParser\ParserFactory)->create(PhpParser\ParserFactory::PREFER_PHP7);
	$traverser     = new PhpParser\NodeTraverser;
	$prettyPrinter = new PhpParser\PrettyPrinter\Standard;

	$func_finder = new FuncPHPNodeVisitor();

	$traverser->addVisitor($func_finder);

	try {
		$code = file_get_contents($filename);
		$traverser->traverse($parser->parse('<?php '.$code));
	}
	catch (PhpParser\Error $e) {
		fwrite(STDERR, 'Parse Error: '.$e->getMessage()." in {$filename}\n");
		exit;
	}
	$names = $func_finder->function_names;
	if (isset($names) && count($names) > 0) {
		eval(file_get_contents($filename));
	} else {
		fwrite(STDERR, "Found no PHP functions in $filename\n");
	}
	return $names;
}